NSX – Troubleshoot distributed and edge firewall implementations

1. Verify that the prerequisites are met to run Distributed Firewall (DFW).

  • VMware vCenter Server 5.5 (or later)
  • VMware ESXi 5.1 (or later)
  • VMware NSX 6.0 (or later)

2. Verify that the DFW VIBs are successfully installed on each ESXi host in the cluster. To do this, run the following command on each ESXi host in the cluster:

3. On the ESXi hosts, verify the vShield-Stateful-Firewall service is in a running state:

4. Verify that the Message Bus process (vsfwd) is communicating properly with the NSX Manager. The vsfwd process is launched automatically by a watchdog script, which restarts it if it terminates for an unknown reason. Run this command on each ESXi host in the cluster:

5. Verify that port 5671 is open for communication in the firewall configuration. The following command shows the connectivity from vsfwd to the RabbitMQ broker on the NSX Manager. Run it on each ESXi host to list the connections from the vsfwd process to the NSX Manager:

Ensure that port 5671 is open on any external firewall in the environment between the ESXi hosts and the NSX Manager. There should be at least two connections on port 5671 from vsfwd. There can be more connections on port 5671 when NSX Edge virtual machines are deployed on the ESXi host, because they also establish connections to the RabbitMQ broker:

6. Verify that vsfwd is configured with the correct broker address. This command should display the IP address of the NSX Manager:
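As an added example (not part of the original post), the six checks above can be scripted into one health check that is run on each host. The ESXi commands named in the comments are assumptions drawn from VMware's own DFW troubleshooting guidance (esxcli software vib list, /etc/init.d/vShield-Stateful-Firewall status, ps, esxcli network ip connection list, esxcfg-advcfg -g /UserVars/RmqIpAddress) and may differ by NSX release; the sample outputs at the bottom are constructed so the script also runs off-host for demonstration.

```shell
#!/bin/sh
# Added example: DFW host health check for the troubleshooting steps above.
# Each checker takes the output of an ESXi command as its argument, so the
# same functions work on live output ("$(esxcli ...)") or on the constructed
# samples below. Command names are assumptions; adjust for your NSX version.

# Step 2: both DFW VIBs must be listed by: esxcli software vib list
vibs_ok() {
    printf '%s\n' "$1" | grep -q '^esx-vsip[[:space:]]' &&
    printf '%s\n' "$1" | grep -q '^esx-vxlan[[:space:]]'
}

# Step 3: /etc/init.d/vShield-Stateful-Firewall status must report running
vsfwd_running() {
    printf '%s\n' "$1" | grep -q 'is running'
}

# Step 4: the vsfwd daemon must show up in: ps | grep '[v]sfwd'
vsfwd_process_present() {
    printf '%s\n' "$1" | grep -qw 'vsfwd'
}

# Step 5: count ESTABLISHED TCP sessions to the broker on port 5671 from
# esxcli network ip connection list (>= 2 from vsfwd; more with NSX Edges)
rmq_connection_count() {
    printf '%s\n' "$1" | grep -E ':5671[[:space:]]' | grep -c 'ESTABLISHED' || true
}

# Step 6: extract the broker address from: esxcfg-advcfg -g /UserVars/RmqIpAddress
# (output looks like "Value of RmqIpAddress is 192.168.110.42")
rmq_configured_ip() {
    printf '%s\n' "$1" | sed -n 's/^Value of RmqIpAddress is //p'
}

# Run every check, print PASS/FAIL per step, return non-zero on any failure.
# $1 vib list  $2 service status  $3 ps output  $4 connection list
# $5 advcfg output  $6 expected NSX Manager IP
dfw_healthcheck() {
    rc=0
    if vibs_ok "$1"; then echo "PASS: esx-vsip and esx-vxlan VIBs installed"
    else echo "FAIL: DFW VIBs missing (re-run Host Preparation)"; rc=1; fi
    if vsfwd_running "$2"; then echo "PASS: vShield-Stateful-Firewall service running"
    else echo "FAIL: vShield-Stateful-Firewall service not running"; rc=1; fi
    if vsfwd_process_present "$3"; then echo "PASS: vsfwd process present"
    else echo "FAIL: vsfwd process absent (watchdog should restart it)"; rc=1; fi
    n=$(rmq_connection_count "$4")
    if [ "$n" -ge 2 ]; then echo "PASS: $n established connections to port 5671"
    else echo "FAIL: only $n connections to port 5671 (check external firewalls)"; rc=1; fi
    ip=$(rmq_configured_ip "$5")
    if [ "$ip" = "$6" ]; then echo "PASS: RmqIpAddress points at NSX Manager ($ip)"
    else echo "FAIL: RmqIpAddress is '$ip', expected $6"; rc=1; fi
    return $rc
}

# Constructed sample outputs (not captured from a real host) for a healthy host.
SAMPLE_VIBS='Name       Version             Vendor  Acceptance Level  Install Date
---------  ------------------  ------  ----------------  ------------
esx-vsip   6.0.0-0.0.1234567   VMware  VMwareCertified   2015-04-01
esx-vxlan  6.0.0-0.0.1234567   VMware  VMwareCertified   2015-04-01'
SAMPLE_STATUS='vShield-Stateful-Firewall is running'
SAMPLE_PS='2098887  2098887  vsfwd
2098890  2098887  vsfwd'
SAMPLE_CONNECTIONS='Proto  Recv Q  Send Q  Local Address         Foreign Address       State        World ID  CC Algo  World Name
tcp         0       0  192.168.110.51:57214  192.168.110.42:5671   ESTABLISHED     36123  newreno  vsfwd
tcp         0       0  192.168.110.51:57215  192.168.110.42:5671   ESTABLISHED     36123  newreno  vsfwd
tcp         0       0  192.168.110.51:57216  192.168.110.42:5671   TIME_WAIT       36123  newreno  vsfwd'
SAMPLE_RMQ='Value of RmqIpAddress is 192.168.110.42'
NSX_MANAGER_IP='192.168.110.42'

# Demo run against the samples; on a host, pass "$(esxcli software vib list)" etc.
if dfw_healthcheck "$SAMPLE_VIBS" "$SAMPLE_STATUS" "$SAMPLE_PS" \
                   "$SAMPLE_CONNECTIONS" "$SAMPLE_RMQ" "$NSX_MANAGER_IP"; then
    echo "DFW prerequisites OK on this host"
else
    echo "DFW prerequisites NOT met; escalate with the FAIL lines above"
fi
```

The connection count deliberately ignores TIME_WAIT and other non-established states, so a host that is flapping on port 5671 still fails the check even though sessions appear in the list.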

Anything beyond this point is really GSS territory…

